Bank Thefts Show North Korea’s Hacking Prowess

Pyongyang’s hackers may have tried to steal $1 billion from a Bangladeshi bank.

North Korean hackers have taken down banking services, attacked U.S. government websites, and wiped the computers of Sony Pictures. Now, they may have carried out an operation that is unprecedented in the history of state-sponsored hacking: trying to steal $1 billion.

If confirmed, the attack would represent a significant escalation in Pyongyang’s hacking ability and cement its position as a fairly sophisticated — and highly daring — actor in cyberspace.

In February, hackers attempted to make off with $1 billion from Bangladesh’s central bank, but the transfer was stopped by suspicious bankers in New York. The thieves nonetheless pocketed $81 million. According to an analysis by antivirus giant Symantec, the attempted heist featured a piece of code associated with a series of audacious hacks believed to have been carried out by North Korea.

When hackers attacked South Korean banks in 2013 and Sony in 2014, they used what Eric Chien, the director of security response at Symantec, described as a highly distinctive piece of software used to delete data. That piece of software has now been discovered in the code used to execute the theft targeting the Bangladeshi central bank, as well as earlier attacks on banks in the Philippines and Vietnam. Security company BAE Systems has also found similarities in the wiping tool used in Bangladesh and against Sony.

“They’re showing skills that we haven’t seen before,” Chien said of the North Korean hackers.

The attack on the Bangladeshi bank managed to breach the highly protected Swift network, which more than 11,000 banks and financial institutions use to handle enormous sums of money on a daily basis — and which had previously been thought to be fairly secure.

That has raised fears about more pervasive vulnerabilities in a system that, according to one estimate, directs banks to pay out as much as $5 trillion daily.

While North Korea is thought to have carried out a series of high-profile Internet crimes, the alleged foray into digital bank robbery would break new ground for Pyongyang. “If this was planned and executed by North Korea, this means a significant shift in their thinking,” said Jenny Jun, one of the authors of a Center for Strategic and International Studies report on North Korean cyber-capabilities. “They are basically using it as a separate source for generating revenue, which may come as a result of increased sanctions.”

Following nuclear and missile tests, the international community has ratcheted up sanctions on Pyongyang, placing further strain on the impoverished country’s tiny economy. The North Korean economy is estimated to be about $40 billion. Had the hackers succeeded in stealing $1 billion from Bangladesh’s central bank, they would have grown the economy by 2.5 percent.

But Jun is skeptical of the evidence marshaled by Symantec. Jun called the presence of the wiping tool associated with North Korea a “red flag” that the country may have been involved in the bank heist. But the evidence presented by the antivirus company doesn’t definitively prove Pyongyang’s responsibility.

She notes that investigators and researchers have so far not made public the command and control servers that were used to carry out the heist. They have also not determined where the stolen $81 million ended up.

Following that money trail will require resources that go beyond breaking down the code used and shows the limit.

Chien acknowledged in an interview with Foreign Policy that his determination that North Korean hackers were responsible for the attack hinges upon whether you believe statements by the National Security Agency and the FBI that North Korea was behind the Sony attack.

And on Friday, the U.S. government remained mum on who it believes was responsible for the attack on the banking system. A White House official speaking on the condition of anonymity told FP that Washington had not determined who was behind the attack. The NSA did not answer questions about the hack. The Office of the Director of National Intelligence — the coordinating body for the intelligence community — declined to comment.

Photo credit: KNS/AFP/Getty Images

Elias Groll is a staff writer at Foreign Policy covering cyberspace, its conflicts, and controversies. @eliasgroll